UPDATE 2013-04-04 1:25 PM EDT:All passwords have been reset. Users will have to use the “Forgot password” function to set a new password.

UPDATE 2013-04-04 6:06 PM EDT: Those interested in knowing if one of their passwords was one of the less secure may use this tool to check their email address. No matter the result with that tool, the only way to be 100% secure is to change your password on other sites if you also used it here.

ScienceBasedMedicine.org (SBM) was recently hacked, and user account information may have been stolen: usernames, passwords, and email addresses. Most of the potentially stolen passwords were strongly encrypted — that is, extremely difficult to read. About 2000 random accounts, roughly 5% of the total, were not protected as effectively and may be at greater risk.

If your SBM password was used for any other service, website, or account, you should change that duplicate password as soon as possible. (For example: if your SBM password is the same as your password for Gmail, you should immediately go to Gmail and change your password there.)

When hackers get your password from one place, they often try to use the same password with other services and websites. Unfortunately, this is a fairly effective strategy, because many people use the same password for many of their logins. This is why all security experts strongly recommend using unique passwords for all critical services.

What exactly happened to ScienceBasedMedicine.org?

On Sunday, March 10, hackers successfully gained access to the SBM server, and attempted to use it to attack other servers. Eventually it gave itself away by using too much computing power.

On Monday, April 1, our hijacked server was shut down by the service provider. We remained offline for a full day as we repaired the damage and strengthened our protections against hackers. SBM is now back online but all users will have to reset their passwords before commenting again.

There is no way to know if the attacker actually took any data from ScienceBasedMedicine.org itself, but the safest course is to act on the assumption that they did. However, most of that data was strongly protected by encryption — standard practice for user account information on WordPress blogs for exactly this reason. (You can find details on this encryption here.)

Nevertheless, we know that some of the passwords (again, only about 5%) were less protected. (Specifically, they used an older MD5-based encryption.) Therefore, we strongly urge all SBM users to make sure they are not using their SBM password anywhere else.

SBM login is now available, and will require you to reset your password.